[GIT PULL] dlm fixes for 2.6.31-rc3

From: David Teigland
Date: Tue Jul 14 2009 - 15:15:34 EST


Linus,

Please pull three dlm fixes from:

git://git.kernel.org/pub/scm/linux/kernel/git/teigland/dlm.git for-linus

One fixes a socket leak people have been reporting, another fixes a posix
lock regression from several releases ago, and one removes a warning. Full
patches included for review.
Thanks,
Dave

Casey Dahlin (1):
dlm: free socket in error exit path

David Teigland (1):
dlm: fix plock use-after-free

Steven Whitehouse (1):
dlm: Fix uninitialised variable warning in lock.c

fs/dlm/lock.c | 2 +-
fs/dlm/lowcomms.c | 4 +++-
fs/dlm/plock.c | 17 ++++++++++-------
3 files changed, 14 insertions(+), 9 deletions(-)



commit a89d63a159b1ba5833be2bef00adf8ad8caac8be
Author: Casey Dahlin <cdahlin@xxxxxxxxxx>
Date: Tue Jul 14 12:17:51 2009 -0500

dlm: free socket in error exit path

In the tcp_connect_to_sock() error exit path, the socket
allocated at the top of the function was not being freed.

Signed-off-by: Casey Dahlin <cdahlin@xxxxxxxxxx>
Signed-off-by: David Teigland <teigland@xxxxxxxxxx>

diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c
index cdb580a..618a60f 100644
--- a/fs/dlm/lowcomms.c
+++ b/fs/dlm/lowcomms.c
@@ -902,7 +902,7 @@ static void tcp_connect_to_sock(struct connection *con)
int result = -EHOSTUNREACH;
struct sockaddr_storage saddr, src_addr;
int addr_len;
- struct socket *sock;
+ struct socket *sock = NULL;

if (con->nodeid == 0) {
log_print("attempt to connect sock 0 foiled");
@@ -962,6 +962,8 @@ out_err:
if (con->sock) {
sock_release(con->sock);
con->sock = NULL;
+ } else if (sock) {
+ sock_release(sock);
}
/*
* Some errors are fatal and this list might need adjusting. For other
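Review bot: the `else if (sock)` branch added under out_err releases the local socket only when con->sock is NULL, so it relies on con->sock, whenever it is set, being the same socket that `sock` points to. If con->sock could hold a different socket when this label is reached, the newly created one would still leak. Clearing the local pointer (`sock = NULL;`) at the point where ownership passes to con, and then testing `if (sock)` independently of `if (con->sock)`, would make the cleanup correct without that assumption and would also rule out a double release if the two branches are ever reordered.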

commit c78a87d0a1fc885dfdbe21fd5e07787691dfb068
Author: David Teigland <teigland@xxxxxxxxxx>
Date: Thu Jun 18 13:20:24 2009 -0500

dlm: fix plock use-after-free

Fix a regression from the original addition of nfs lock support
586759f03e2e9031ac5589912a51a909ed53c30a. When a synchronous
(non-nfs) plock completes, the waiting thread will wake up and
free the op struct. This races with the user thread in
dev_write() which goes on to read the op's callback field to
check if the lock is async and needs a callback. This check
can happen on the freed op. The fix is to note the callback
value before the op can be freed.

Signed-off-by: David Teigland <teigland@xxxxxxxxxx>

diff --git a/fs/dlm/plock.c b/fs/dlm/plock.c
index 894a32d..16f682e 100644
--- a/fs/dlm/plock.c
+++ b/fs/dlm/plock.c
@@ -353,7 +353,7 @@ static ssize_t dev_write(struct file *file, const char __user *u, size_t count,
{
struct dlm_plock_info info;
struct plock_op *op;
- int found = 0;
+ int found = 0, do_callback = 0;

if (count != sizeof(info))
return -EINVAL;
@@ -366,21 +366,24 @@ static ssize_t dev_write(struct file *file, const char __user *u, size_t count,

spin_lock(&ops_lock);
list_for_each_entry(op, &recv_list, list) {
- if (op->info.fsid == info.fsid && op->info.number == info.number &&
+ if (op->info.fsid == info.fsid &&
+ op->info.number == info.number &&
op->info.owner == info.owner) {
+ struct plock_xop *xop = (struct plock_xop *)op;
list_del_init(&op->list);
- found = 1;
- op->done = 1;
memcpy(&op->info, &info, sizeof(info));
+ if (xop->callback)
+ do_callback = 1;
+ else
+ op->done = 1;
+ found = 1;
break;
}
}
spin_unlock(&ops_lock);

if (found) {
- struct plock_xop *xop;
- xop = (struct plock_xop *)op;
- if (xop->callback)
+ if (do_callback)
dlm_plock_callback(op);
else
wake_up(&recv_wq);
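Review bot: the ordering inside the matched-op branch is what the fix depends on, and nothing in the code says so. Per the commit message the waiter may free op once `op->done = 1` is visible, so in the non-callback case nothing after `spin_unlock(&ops_lock)` may dereference op; a short comment above `if (xop->callback)` stating that would keep a later cleanup from moving the check back outside the lock. Two smaller points: the cast `(struct plock_xop *)op` is now applied to every matched entry, which is only valid if every op on recv_list was allocated as a plock_xop, so a comment or container_of() would make that requirement explicit; and `dlm_plock_callback(op)` is still called after the unlock, which is safe only because `done` is left unset on that path, another thing worth stating in the same comment.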

commit a566a6b11c86147fe9fc9db7ab15f9eecca3e862
Author: Steven Whitehouse <swhiteho@xxxxxxxxxx>
Date: Mon Jun 15 08:26:48 2009 +0100

dlm: Fix uninitialised variable warning in lock.c

CC [M] fs/dlm/lock.o
fs/dlm/lock.c: In function ‘find_rsb’:
fs/dlm/lock.c:438: warning: ‘r’ may be used uninitialized in this function

Since r is used on the error path to set r_ret, set it to NULL.

Signed-off-by: Steven Whitehouse <swhiteho@xxxxxxxxxx>
Signed-off-by: David Teigland <teigland@xxxxxxxxxx>

diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
index 205ec95..eb507c4 100644
--- a/fs/dlm/lock.c
+++ b/fs/dlm/lock.c
@@ -435,7 +435,7 @@ static int search_rsb(struct dlm_ls *ls, char *name, int len, int b,
static int find_rsb(struct dlm_ls *ls, char *name, int namelen,
unsigned int flags, struct dlm_rsb **r_ret)
{
- struct dlm_rsb *r, *tmp;
+ struct dlm_rsb *r = NULL, *tmp;
uint32_t hash, bucket;
int error = -EINVAL;
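Review bot: the subject describes `struct dlm_rsb *r = NULL, *tmp;` as a warning fix, but the message also says r is stored into r_ret on the error path, which means callers could previously be handed an indeterminate pointer when find_rsb() failed. The changelog should say that this is a behavioural fix as well as a warning removal, so it is considered for backporting. It would also help to assign `*r_ret` only on success, or to document that `*r_ret` is NULL on error, so callers do not come to depend on an unstated contract.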
